When I am traveling I frequently publish my travel stories from internet cafés on this weblog. However, these places are not the safest computing places. I have seen a lot of worrying messages from virus scanners nobody pays attention to.

Because of this I have been searching for ways to improve security. One measure I took was installing the Semisecure Login Reimagined plugin to send the WordPress password encrypted from the browser to the server (a better way is to use SSL, but my hosting provider doesn’t support that).

However, sending the password encrypted doesn’t prevent keylogging. A possible solution is to use a virtual keyboard (on-screen keyboard). Because I don’t want to search for or install a virtual keyboard each time, I wanted a virtual keyboard integrated in my login screen. I couldn’t find an existing one, so I decided to write a new WordPress plugin to accomplish this. The short name of this plugin is WP-Login-Vkb.

After pressing the keyboard icon next to the password box, my login screen looks like this now:

I hope the just released version 1.3 does what you want; let me know if it does not. It was a good idea to use the focus event to display the virtual keyboard when it is mandatory. Losing the focus removes the keyboard too.

Great, thanks for that; it looks lengthy and I will digest it. It doesn’t matter for I.E.; I use FF a lot.
I used One-Time Password already; thanks again, and both work fine with WP2.8.3 locally and remotely.

Using an onscreen keyboard does not fool any but the most basic (stupid) keyloggers/spyware. I can recommend the comparison of technologies at kyps.net/home/comparison for different approaches and their advantages and disadvantages.

I think it is quite obvious: there is nothing to stop the spyware from capturing your input – no matter how exactly this input is made. Keyloggers/spyware nowadays can capture areas that have received mouse clicks, the clipboard, and all sorts of system calls. Use Google to find out…

I don’t deny that more advanced keyloggers can and will capture input from other sources than the keyboard. However, I am not convinced that data captured in that way is used on a large scale (in an automated way) for malicious purposes, yet.

With the lack of reliable sources of information about what is really going on “in the wild” (and I would expect that this may greatly vary by location) I can only speculate. And basing security decisions on speculation – well that’s the definition of risk, isn’t it?